Significant work remains to produce standards and rules on accounting of disclosures for PHI

The Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the Recovery Act in February 2009 included a variety of revisions included to requirements already in effect under the HIPAA Security and Privacy Rules. Among these requirements is the need for HIPAA-covered entities to maintain an accounting of disclosures of protected health information (PHI) so that it may produce, when requested, a record of such disclosures to the individuals whose PHI has been disclosed. As we’ve noted previously, under the HIPAA Privacy Rule the accounting of disclosure rule covered a six year history, but exempted disclosures for the purposes of treatment, payment, or health care operations (45 CFR §164.528). Once the changes mandated by HITECH take effect, there will no longer be an exemption for these three most common uses of health care information, and the time period for the accounting of disclosures is shortened to three years from six. The original legislation called for the new accounting of disclosure rules to take effect as soon as January 1, 2011 (for entities that newly acquire electronic health record (EHR) technology) and no later than January 1, 2014, although in a move that may prove to have shown great foresight by Congress, the law allows the HHS Secretary to delay the effective dates by two years if such a delay is deemed necessary.

The January 1, 2011 date looks increasingly unlikely, for two primary reasons. First, the language of the HITECH Act instructs HHS to first adopt standards for accounting for disclosure, and then promulgate regulations about what information health care entities (and presumably business associates, since HITECH also made business associated directly responsible for complying with HIPAA requirements) must record about each disclosure (§13405(c)(2)). No such standards have yet been proposed, much less adopted, and at present HHS is still in the process of reviewing comments it received in response to the request for information it published in May of this year. Second, the EHR certification criteria proposed by the Office of the National Coordinator (ONC) in an interim rule published last winter included accounting of disclosures, and so represented a key driver influencing health IT vendors to make sure their EHR systems offered the capability in their products. However, in the revised certification criteria released last week in conjunction with the final version of the meaningful use rules, the accounting of disclosures functionality is now optional, so any sense of urgency vendors might have felt about providing that functionality has likely subsided. Taken together, the absence of standards and regulations on accounting of disclosures and the fact that such functionality is not required in order to certify EHR systems under Stage 1 of meaningful use suggest that the ability for health care providers to actually offer the sort of accounting called for in the HITECH Act may not be pervasive until Stage 2 takes effect in 2013.

In addition to the formal statements of standards and criteria in the “Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology,” ONC included information on the many comments it received and summary responses to those comments. With respect to accounting for disclosures, the decision to make the criterion optional clearly reflected the concerns of multiple commenters about the resource intensiveness of the criterion and the lack of clarity about how the requirement was intended to be satisfied. ONC acknowledges that “significant technical and policy challenges remain unresolved” and notes its expectation that accounting of disclosures rules and standards will likely be the subject of future rulemaking. Other than designating it optional and re-numbering the section where the criterion will be codified (to §170.302(w) rather than §170.302(v)), the text of the criterion remained unchanged from the interim rule to the final version: “Record disclosures made for treatment, payment, and health care operations in accordance with the standard specified.”

What did change in the final version is the wording of the audit standard (§170.210(b)), with a change of just a couple of words that nevertheless may have a significant impact on the way accounting of disclosures are implemented. ONC’s interim final rule published, on January 13, 2010, included an adopted security and privacy standard to “Record actions related to electronic health information,” the text of which said that audit data must be recorded when electronic health information is “created, modified, deleted, or printed.” Based on comments described by ONC in the final rule, many urged the addition of the word “accessed” to the standard to include read-only actions within the scope of the audit requirement. This change was included in the final text of the standard (and the action “printed” was removed), with the implication that now audit records should provide more value to entities seeking to identify authorized EHR user who misuse or inappropriately access health records. Should this sort of logic be applied to the accounting of disclosures rules when they are written, considering read-only viewing of a record to be a “disclosure” would go a long way towards making the accounting of disclosures a comprehensive history of all uses of health records, and to providing stronger access controls that enhance privacy protections for personal health information.